CVE-2025-2332: 
WordPress vulnerability analysis and mitigation

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This vulnerability allows unauthenticated attackers to inject PHP objects, though no known POP chain exists in the vulnerable software itself (NVD).

The vulnerability exists in the plugin's handling of deserialization operations. The issue specifically occurs in the 'returnMetaValueAsCustomerInput' function where untrusted input is deserialized without proper validation. The vulnerability has been assigned a CVSS v3.1 score of 9.8 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network accessibility and no required privileges or user interaction (Wordfence).

While the vulnerability itself allows for PHP Object Injection, its actual impact is dependent on the presence of other plugins or themes that contain a POP chain. If such a chain is present, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code depending on the specific POP chain available (NVD).

The vulnerability has been patched in version 2.14 of the plugin. Users are advised to update to this version to protect against potential exploitation (WordPress Changeset).